Copy Link
Add to Bookmark
Report

HIR Issue 3: The Official HiR Guide to the Art of Social Engineering

First and foremost, I want to thank the Social Engineering Panel at 2600's Beyond HOPE In August 1997. I was not able to attend the meeting, but, thanx's to Izaac who RealAudio'd Most of the BH stuph, I was able to add quite a bit to my SE (Social Engineering) knowledge. Shoutouts to them all!

As I was mentioning, I gathered most of my information from personal experience, THE Social Engineering Panel at BH, and the Social Engineering FAQ.


Part 1: What exactly IS social engineering anyway?

Straight from the New Hacker's Dictionary, this is da definition:

social engineering: /n./ Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. See also the tiger team story in the patch entry.

okay, lingo check. Some may not be able to understand some of the words in there. (If the above definition seems at all hazy or vague to you, you really ought to pick up the Hacker's Jargon File or New Hacker's Dictionary). I'll go over a few less-commonly used words. Wetware is referring to the human brain. This will be discussed later. Samurai are hackers who hire themselves out for legal hacking jobs. The above definition does not include phreaks and hackers in the scheme. Matter of fact, social engineering doesn't have to be about technology at all (We'll talk about that later, too).

When you get right down to it, Social engineering is basically the same as "Bullshitting", except it is used differently, in a more subtle manner than flat-out lying.


Part 2: What is SE used for? What good is learning how to bullshit people?

Social Engineering is not typically done just for fun. Usually, it is an art reserved for finding out some info about a company, certain computer network or server, person, or product. One might try to use SE to get a password out of a person with a standard user-level account on a specific server (once a hacker has a user-level account, it's only a matter of time before he can get root on the system). Maybe you want free stuff. Who knows. Knowsing how to SE is a good thing to know, however. No metter how secure a system is, there is always the loser who isn't quite all there in-between the ears, and will divulge a password over the phone believing you're a tech. I am sure that you'll find that the computers may not have security holes, but the people who run them are the weakest link in the chain.


Part 3: How is SE done?

The first thing you do is gather info. Research. Do they have a web site? Go for it. Look for employee names, extension numbers, product or service lists. Do NOT jump into the situation blind. Jump into their trash bins, without getting caught trespassing, and look for anything and everything useful. You can even go up to them face-to-face, although this is a method I would not recommend to anyone. A more detailed way of getting information on your mark is to dial them up on the phone.

Sometimes you need to make multiple phone calls to your mark to get through. An SE panel member gave a good example that I will outline with my own paraphrasing cuz i don't know exact words. Call up your mark, and ask for a certain department, maybe information Services if it's a college, or some kind of thing like that. Ask for the manager/leader/head/etc of that department, and see if you can get a name. If you can't, hang up and call later, stating you need to mail something to the head of x department, and need the name and mailing address. Bingo, you have a name. Later, you can call and say "I need to fax John Smith this quote, could i get his Fax number" and you have even more info.

You can call somewhere, pretending to be a different branch (the BH people picked on k-mart) that's having some sort of problem, in this case, getting the PA system in the store to work. So the hacker calls up a random k-mart, asks for the menswear department, then, once menswear is on the phone, requests a manager. He tells the manager he's from a random k-mart in the phone book, and asked if he was having trouble using the PA system. The hacker said that he normally dials 50 to get on the PA but that isn't working, then the manager corrected him "50? I've never heard of that. Try 613." and hung up. Later he called back and asked for Shoes, then bullshitted about sandals for a while, then asked to be transferred to 613. After a couple of seconds, he blared into the phone, deepening his voice, saying "Attention K-mart shoppers: Everything in aisle 4 is FREE!" then hung up...

Another very good technique was utilized in that last scenario. Note that the hacker did not ASK for the extension to the PA system. He told the manager what he thought it was, then proceeded to let himself be corrected. this is a tactic that can be used to get passwords easily. Use research to find a mark that is potentially kind of slow, technologically. Don't pick a nerd to SE, pick the technophobe in he bunch, because a good scare will help them give you the info. Tell them that his system had a virus and you just cleaned it, and now you're checking everyone's accounts for traces, so it won't happen again. Tell them "according to our records, your password is xxxxxxxx (insert some stupid password there)." Sure as hell if he's really as dumb as you thought he was, you'll be corrected by him telling you what his password REALLY is.

SE is not limited to phone conversation, though. You can use the same technique with e-mail (spoofing, too), And in person, as i was discussing toward the beginning. I'll leave the e-mail up to you, as I have never seen it work without using phone SE too (Such as sending an e-mail from <some made up company>, and then calling and saying "yah, this is <some name> from <that made-up company>, i sent you an email the other day...") you get the picture.

I've only seen live social engineering work once, when some guy went into a company's doors with a huge array of A/V equipment, and fake press cards, saying they were putting together a documentary of technology in the kansas City area for journalism class as a final project, and wondered if they could include this place, talked to the big guy in charge there, who was more than happy to have some extra advertisement, and gave them a tour of the whole placee (or most of it). He taped everything. Things he got on tape were codes to unlock doors (they only had 3 different codes that he saw on about 8 doors), locations of certain rooms containing things of interest, he even got a tour of a big room that people were working in, and was fortunate enough to tape a guy logging on to a computer (although the last 2 letters of the password weren't seen, he knew what side of the keyboard they were on.) =]

You can call tech-support lines and SE with techs. In most companies, the technicians are GODS. They are omniscient, and can get you what you want. Be careful, though. They are usually fairly intelligent, too. You can try to get them to divulge specs on products, or maybe they can fax you a few white papers or whatever else they have access to.


Part 4: Extra Tips and helpful SE Hints.

If your mark is a large company (more than 500 people) than find out enough about that company to sound like you are with them. Most company members will tell co-workers anything they want to know.

Remember that humans are creatures of habit. People's habits can be monitored and exploited. Just remember that you, too are human. Hackers should strive to be an exception to the rule. Do not be a creature of habit, because that is how hackers are caught.

Using an accent is helpful. Make sure you stay on accent. Try Japanese, scottish, etc. (Note: The most accepted accents in the U.S. are British male and Southern Female)

To really throw your mark for a loop, combine SE tactics and SE them more than one way at the same time. Be careful though.

Remember that SE focuses on People as the weak link. This is because, unlike a computer, they respond to other humans and emotions (I.e. anger, kindness, rushed, etc). While you can exploit a secretary's emotions, you can't make a computer sympathize with you.


Part 5: Few final ideas

If you want to find someone's unlisted phone number, find out if they have cable T.V. or some other service (in a pinch maybe electricity would work). Call the cable, electrical, etc company, and SE them into giving you their #. (maybe you are ready to check out their cable and you're 1 and a half hours ahead of schedule, and wanted to call them to see if earlier service would be okay, whatever floats your boat) This may also work for addresses if you are a serviceman who "lost/forgot" the address...MAYBE.


Part 6: Conclusion

That pretty much sums it up for the HiR Guide to SE. I hope this information helps everyone out. Most of this is just common sense.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT